Re: lots of port 0 scannings

[Neil Dickey <neil () geol niu edu>]

"SB CH" <chulmin2 () hotmail com> wrote asking:

> I found lots of port 0 traffic from various conuntry these days like this.
>
> [**] [1:524:5] BAD TRAFFIC tcp port 0 traffic [**]

You don't say how these alerts were generated, but it looks like Snort,
so I'll operate under that assumption.  These messages don't appear in
the rules files for the current version of Snort; what version are you
using?

That said ...

> and what's the meaning about this scan?
>
> [**] [116:55:1] (snort_decoder): Truncated Tcp Options [**]

... this looks like it could be T/TCP stuff, which I have seen originate
from Windows and Mac web browsers.  Are you hosting any websites?  I see
traffic like this pointed at mine, but the message is different because
the rules files I'm using are doubtless different from yours.  When I
check my web server logs for the source IP and the time, I have so far
always found that these alerts are generated during legitimate sessions.

Do a Google on the search string "T/TCP" and you'll find out what it is
in detail.  Briefly, it stands for "Transaction TCP", and is a means of
dispensing with the normal 3-way handshake used to initialize a TCP
connection.  I believe it originated with Microsoft.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------